
and features and capabilities added in recent years have only made these attack platforms more effective and more dangerous.


It is common for malware architects to update crimeware toolkits with new exploit capabilities a few short hours after a software maker issues patches to repair vulnerabilities, said Jason Jones, a security researcher at Hewlett-Packard Co.'s TippingPoint DVLabs. Jones is scheduled to talk about Web exploit toolkits and their sophistication at the 2012 Black Hat Briefings in Las Vegas. He said cybercriminals behind the attack toolkits not only license them to attackers, but also provide frequent updates and even support services.

"These guys are stepping up," Jones said in an interview with SearchSecurity.com. "We need to keep on our toes and pushing the envelope to protect users."

Jones said he expects the toolkit authors to further advance their code-obfuscation efforts, making it difficult for security teams to detect a toolkit's presence on websites. He predicts advances in JavaScript code obfuscation will cloak malicious code from automated technologies designed to detect suspicious website activity.

Security firms have been documenting a steady rise in attacks targeting Java, Adobe Flash and Microsoft vulnerabilities, fueled in large part by the Black Hole exploit kit. Like Phoenix and other attack toolkits, an annual license for the Black Hole toolkit had sold on hacker forums for as much as $1,500. Black Hole was made available for free download last year, creating the surge in Web-based attacks.

"Users need to patch their Java [installations], their Adobe software and their operating system vulnerabilities," Jones said. "These kits are not using zero-days; they cannot exploit you if you are patched."


Attack toolkits have a lot in common. A control panel helps the attacker configure the toolkit to carry out a range of attacks. Most can be configured to ignore a specific IP range, Jones said, in order to avoid attacking a security firm or another entity the attacker doesn't want to attack. A dashboard typically displays reporting capabilities, letting the attacker know how many people viewed their attack pages and how many attacks were successful.

Attackers typically use crimeware kits to set up drive-by attacks. The kit can be used to target vulnerable websites and use those sites as attack platforms. An initial SQL injection or cross-site scripting (XSS) attack gains a foothold on a website. Using malicious JavaScript, the attacker loads an iFrame within the HTML on the page, which launches attacks on visitors to determine their operating system and whether their browsers and browser components are unpatched. If a vulnerability is found, the attack toolkit automatically exploits it, downloading malware onto a victim's machine.
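One way a site owner could audit their own pages for the hidden iframe injection described above, as an added example that is not part of the original article. The allow-list, the hiding heuristics and the sample HTML are assumptions made for illustration; a frame that obfuscated JavaScript builds at runtime will not appear in static HTML and needs a rendered-DOM check instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments commonly used to hide an injected frame from the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)

class IframeAuditor(HTMLParser):
    """Collects iframes that are invisible and load from a host we do not trust."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        # Frames of 0 or 1 pixel are invisible in practice.
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        # Relative src (no host) is same-site; only off-site hidden frames are flagged.
        if reasons and host and host not in self.allowed:
            self.findings.append((host, reasons))

def audit_page(html, allowed_hosts):
    auditor = IframeAuditor(allowed_hosts)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page: one legitimate video embed, one injected hidden frame.
SAMPLE = """
<html><body>
<iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
<iframe src="http://cdn.injected.example.net/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/widgets/cart.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, reasons in audit_page(SAMPLE, {"video.example.com"}):
        print(f"suspicious iframe -> {host}: {', '.join(reasons)}")
```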

Attack toolkits can contain as few as four exploits or up to a dozen or more. The longer a kit is around, Jones said, the more exploits it accumulates.

Attack toolkits are largely from Eastern Europe, Jones said, but newer exploit kits are emerging from Asia. While the newer toolkits aren't as sophisticated, they have been offering exploits that target more recently known vulnerabilities. The kits have fueled competition, pushing toolkit authors to rush updates to license holders.

"The Chinese exploit kits were taking market share because they could get more recent vulnerabilities in their kit," Jones said. "They see the success that these other guys are having and they may think they will have the same success or do it better."
